Command Service + Look2Me unable to remove

ataghit · Apr 17, 2006

Hi,

after much cleaning of a severe messed up laptop with AVG Free edition, Ad-aware and Spybot (every program updated as of yesterday) I am stucked with:

Command Service
Config.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService
System Service
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Look2Me.Topconvertin
File
c:\Windows\System32\guard.tmp

The guard.tmp can be removed everytime but Command Service entries cannot and the file appears in the next start up.

I've been doing this in secure mode and starting Spybot at startup as recomended in some threads.

I just don't know how to move from here.

Here is a hkt after spybot removed the file and fails with de cmdSevice.

Thanks very much for all your help.

Ataghit

------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 22:37:45, on 17/04/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
C:\Archivos de programa\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 194.224.187.18:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *osi.telefonica-data.com;*.tdcorp;172.24.*;*.tesa;*.telefonica;10.*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [3COMMonitor] C:\Archivos de programa\3Com\3Com Wireless Card Manager\Monitor.exe
O4 - HKLM\..\Run: [Conceptronic Conceptronic 54Mbps Wireless Utility] C:\Archivos de programa\Conceptronic\Conceptronic 54Mbps Wireless Utility\WLANmon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [MS taskbar W] task32w.exe
O4 - HKLM\..\RunServices: [MS Sys Security] mswin.pif
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] ndst32.exe
O4 - HKLM\..\RunServices: [eventwvr] C:\WINDOWS\System32\eventwvr.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MS Sys Security] mswin.pif
O4 - HKCU\..\Run: [Compaq Service Drivers] ndst32.exe
O4 - HKCU\..\Run: [eventwvr] C:\WINDOWS\System32\eventwvr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [MS Sys Security] mswin.pif
O4 - HKCU\..\RunServices: [Compaq Service Drivers] ndst32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097159454133
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = td.inet
O17 - HKLM\Software\..\Telephony: DomainName = td.inet
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = td.inet
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = td.inet
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Network Browser (NBSystem) - Unknown owner - C:\WINDOWS\system32\nbsystem.exe (file missing)
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINDOWS\System32\netddesrv.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Unknown owner - C:\Archivos de programa\Trend Micro\OfficeScan Client\ntrtscan.exe (file missing)
O23 - Service: Performance Logs (Perfhmon) - Unknown owner - C:\WINDOWS\System32\Perfhmon.exe (file missing)
O23 - Service: Print Spool Handler (Print Spooler) - Unknown owner - C:\WINDOWS\System32\spooler.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe (file missing)
O23 - Service: Detector de OfficeScanNT (tmlisten) - Unknown owner - C:\Archivos de programa\Trend Micro\OfficeScan Client\tmlisten.exe (file missing)

LonnyRJones · Apr 20, 2006

Hi ataghit

I'm thinking a re-format and install windows again this time immediately getting all windows updates would be the best way to go, what do you think ?

If you'd like to try cleaning start by downloading and running
Look2Me-Destroyer: http://www.atribune.org/content/view/28/

Post its log please

ataghit · Apr 22, 2006

Thank you for your answer!! I'd like to give it a try at cleaning after all the time I’ve spent on it.

You are absolutely right. I barely connect the laptop to the Internet, when I did (dial-up) it wasn't updated, therefore cached just about everything cacheable.

I've done the Look2Me-Destroyer part. Attached is its log and a hijack log after the look2me cleaning.

Thanks again for your help!

Ataghit

#########################

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 22/04/2006 9:13:07

Infected! C:\System Volume Information\_restore{8E86E238-858D-4510-A844-D9F83356C2CB}\RP29\A0037699.dll
Infected! C:\System Volume Information\_restore{8E86E238-858D-4510-A844-D9F83356C2CB}\RP29\A0038705.dll
Infected! C:\System Volume Information\_restore{8E86E238-858D-4510-A844-D9F83356C2CB}\RP29\A0039711.dll
Infected! C:\System Volume Information\_restore{8E86E238-858D-4510-A844-D9F83356C2CB}\RP29\A0039724.dll
Infected! C:\System Volume Information\_restore{8E86E238-858D-4510-A844-D9F83356C2CB}\RP29\A0039730.dll
Infected! C:\System Volume Information\_restore{8E86E238-858D-4510-A844-D9F83356C2CB}\RP29\A0039736.dll
Infected! C:\WINDOWS\system32\cnmaddin.dll
Infected! C:\WINDOWS\system32\cObview.dll
Infected! C:\WINDOWS\system32\cqm.dll
Infected! C:\WINDOWS\system32\dhsshlex.dll
Infected! C:\WINDOWS\system32\dzsetup.dll
Infected! C:\WINDOWS\system32\ennql1551.dll
Infected! C:\WINDOWS\system32\enp2l17o1.dll
Infected! C:\WINDOWS\system32\fp2q03f5e.dll
Infected! C:\WINDOWS\system32\hr6205joe.dll
Infected! C:\WINDOWS\system32\hrr6059se.dll
Infected! C:\WINDOWS\system32\ic41_qcx.dll
Infected! C:\WINDOWS\system32\idnathlp.dll
Infected! C:\WINDOWS\system32\ir60l5jm1.dll
Infected! C:\WINDOWS\system32\ir62l5jo1.dll
Infected! C:\WINDOWS\system32\ir8ol5l31.dll
Infected! C:\WINDOWS\system32\j8p00i7me8.dll
Infected! C:\WINDOWS\system32\jzsh400.dll
Infected! C:\WINDOWS\system32\k8800ilme8qa0.dll
Infected! C:\WINDOWS\system32\kddda.dll
Infected! C:\WINDOWS\system32\l0r0la9m1d.dll
Infected! C:\WINDOWS\system32\l48m0el1ehq.dll
Infected! C:\WINDOWS\system32\lvj8091ue.dll
Infected! C:\WINDOWS\system32\lxasrv.dll
Infected! C:\WINDOWS\system32\mkang.dll
Infected! C:\WINDOWS\system32\mlident.dll
Infected! C:\WINDOWS\system32\mpratelc.dll
Infected! C:\WINDOWS\system32\mqorcl32.dll
Infected! C:\WINDOWS\system32\mvr2l99o1.dll
Infected! C:\WINDOWS\system32\mwrddm.dll
Infected! C:\WINDOWS\system32\nzmkcert.dll
Infected! C:\WINDOWS\system32\o4ro0e93eh.dll
Infected! C:\WINDOWS\system32\otbcint.dll
Infected! C:\WINDOWS\system32\pfrfts.dll
Infected! C:\WINDOWS\system32\qtap.dll
Infected! C:\WINDOWS\system32\rcvpmsg.dll
Infected! C:\WINDOWS\system32\rxgsvc.dll
Infected! C:\WINDOWS\system32\rypsnd.dll
Infected! C:\WINDOWS\system32\s688lglu16q8.dll
Infected! C:\WINDOWS\system32\sfimeng.dll
Infected! C:\WINDOWS\system32\soc_os.dll
Infected! C:\WINDOWS\system32\suriptpw.dll
Infected! C:\WINDOWS\system32\t08u0al9edq.dll
Infected! C:\WINDOWS\system32\tppmonui.dll

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{8E86E238-858D-4510-A844-D9F83356C2CB}\RP29\A0037699.dll
C:\System Volume Information\_restore{8E86E238-858D-4510-A844-D9F83356C2CB}\RP29\A0037699.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8E86E238-858D-4510-A844-D9F83356C2CB}\RP29\A0038705.dll
C:\System Volume Information\_restore{8E86E238-858D-4510-A844-D9F83356C2CB}\RP29\A0038705.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8E86E238-858D-4510-A844-D9F83356C2CB}\RP29\A0039711.dll
C:\System Volume Information\_restore{8E86E238-858D-4510-A844-D9F83356C2CB}\RP29\A0039711.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8E86E238-858D-4510-A844-D9F83356C2CB}\RP29\A0039724.dll
C:\System Volume Information\_restore{8E86E238-858D-4510-A844-D9F83356C2CB}\RP29\A0039724.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8E86E238-858D-4510-A844-D9F83356C2CB}\RP29\A0039730.dll
C:\System Volume Information\_restore{8E86E238-858D-4510-A844-D9F83356C2CB}\RP29\A0039730.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{8E86E238-858D-4510-A844-D9F83356C2CB}\RP29\A0039736.dll
C:\System Volume Information\_restore{8E86E238-858D-4510-A844-D9F83356C2CB}\RP29\A0039736.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\cnmaddin.dll
C:\WINDOWS\system32\cnmaddin.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\cObview.dll
C:\WINDOWS\system32\cObview.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\cqm.dll
C:\WINDOWS\system32\cqm.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dhsshlex.dll
C:\WINDOWS\system32\dhsshlex.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dzsetup.dll
C:\WINDOWS\system32\dzsetup.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ennql1551.dll
C:\WINDOWS\system32\ennql1551.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\enp2l17o1.dll
C:\WINDOWS\system32\enp2l17o1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\fp2q03f5e.dll
C:\WINDOWS\system32\fp2q03f5e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hr6205joe.dll
C:\WINDOWS\system32\hr6205joe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hrr6059se.dll
C:\WINDOWS\system32\hrr6059se.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ic41_qcx.dll
C:\WINDOWS\system32\ic41_qcx.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\idnathlp.dll
C:\WINDOWS\system32\idnathlp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ir60l5jm1.dll
C:\WINDOWS\system32\ir60l5jm1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ir62l5jo1.dll
C:\WINDOWS\system32\ir62l5jo1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ir8ol5l31.dll
C:\WINDOWS\system32\ir8ol5l31.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\j8p00i7me8.dll
C:\WINDOWS\system32\j8p00i7me8.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\jzsh400.dll
C:\WINDOWS\system32\jzsh400.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\k8800ilme8qa0.dll
C:\WINDOWS\system32\k8800ilme8qa0.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kddda.dll
C:\WINDOWS\system32\kddda.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\l0r0la9m1d.dll
C:\WINDOWS\system32\l0r0la9m1d.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\l48m0el1ehq.dll
C:\WINDOWS\system32\l48m0el1ehq.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lvj8091ue.dll
C:\WINDOWS\system32\lvj8091ue.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lxasrv.dll
C:\WINDOWS\system32\lxasrv.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mkang.dll
C:\WINDOWS\system32\mkang.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mlident.dll
C:\WINDOWS\system32\mlident.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mpratelc.dll
C:\WINDOWS\system32\mpratelc.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mqorcl32.dll
C:\WINDOWS\system32\mqorcl32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mvr2l99o1.dll
C:\WINDOWS\system32\mvr2l99o1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mwrddm.dll
C:\WINDOWS\system32\mwrddm.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\nzmkcert.dll
C:\WINDOWS\system32\nzmkcert.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\o4ro0e93eh.dll
C:\WINDOWS\system32\o4ro0e93eh.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\otbcint.dll
C:\WINDOWS\system32\otbcint.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\pfrfts.dll
C:\WINDOWS\system32\pfrfts.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\qtap.dll
C:\WINDOWS\system32\qtap.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\rcvpmsg.dll
C:\WINDOWS\system32\rcvpmsg.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\rxgsvc.dll
C:\WINDOWS\system32\rxgsvc.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\rypsnd.dll
C:\WINDOWS\system32\rypsnd.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\s688lglu16q8.dll
C:\WINDOWS\system32\s688lglu16q8.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\sfimeng.dll
C:\WINDOWS\system32\sfimeng.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\soc_os.dll
C:\WINDOWS\system32\soc_os.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\suriptpw.dll
C:\WINDOWS\system32\suriptpw.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\t08u0al9edq.dll
C:\WINDOWS\system32\t08u0al9edq.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\tppmonui.dll
C:\WINDOWS\system32\tppmonui.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{552070BB-2299-4906-92A6-99D7C9108759}"
HKCR\Clsid\{552070BB-2299-4906-92A6-99D7C9108759}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{44A630A2-3393-4671-AA37-F9B24B9DB91E}"
HKCR\Clsid\{44A630A2-3393-4671-AA37-F9B24B9DB91E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{82D66F68-3385-421B-A350-4675E06B3E39}"
HKCR\Clsid\{82D66F68-3385-421B-A350-4675E06B3E39}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{69003AA5-F34B-4823-9F26-7C090A154089}"
HKCR\Clsid\{69003AA5-F34B-4823-9F26-7C090A154089}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{811821AA-A89C-43BB-BBC1-8E1AC5D3135B}"
HKCR\Clsid\{811821AA-A89C-43BB-BBC1-8E1AC5D3135B}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C30A2CCF-918F-4E3C-A9F4-0C559C7B7D5A}"
HKCR\Clsid\{C30A2CCF-918F-4E3C-A9F4-0C559C7B7D5A}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{941C8863-9A73-4FD4-8F3C-AA43A33732F6}"
HKCR\Clsid\{941C8863-9A73-4FD4-8F3C-AA43A33732F6}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{21D18646-F1F1-4E39-8EDD-0076D1968C73}"
HKCR\Clsid\{21D18646-F1F1-4E39-8EDD-0076D1968C73}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{21536F5E-C2D4-4A9F-ABFA-28803AB40E6F}"
HKCR\Clsid\{21536F5E-C2D4-4A9F-ABFA-28803AB40E6F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{41444403-3136-4285-BEDC-E40599B1A7E3}"
HKCR\Clsid\{41444403-3136-4285-BEDC-E40599B1A7E3}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{21B8EC90-F468-494D-BCE3-B8EDE867A410}"
HKCR\Clsid\{21B8EC90-F468-494D-BCE3-B8EDE867A410}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0067D9A0-C9B1-4284-A606-8CBEFA5111DA}"
HKCR\Clsid\{0067D9A0-C9B1-4284-A606-8CBEFA5111DA}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6273915E-A111-4B87-ACD4-FCE4118B8FD0}"
HKCR\Clsid\{6273915E-A111-4B87-ACD4-FCE4118B8FD0}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{16305EB9-3F8F-44B9-8683-F3605E645412}"
HKCR\Clsid\{16305EB9-3F8F-44B9-8683-F3605E645412}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0E209712-C59E-495F-B5D7-1FDF825F053D}"
HKCR\Clsid\{0E209712-C59E-495F-B5D7-1FDF825F053D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{CC9DA4BB-6411-4EF2-92BD-9CD4B7470E83}"
HKCR\Clsid\{CC9DA4BB-6411-4EF2-92BD-9CD4B7470E83}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{364B36B4-707C-4AE0-AFD5-D02F5A8C4C1A}"
HKCR\Clsid\{364B36B4-707C-4AE0-AFD5-D02F5A8C4C1A}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

Restoring SeDebugPrivilege for Administradores - Succeeded

#########################################

Logfile of HijackThis v1.99.1
Scan saved at 9:42:56, on 22/04/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Conceptronic\Conceptronic 54Mbps Wireless Utility\WLANmon.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\Archivos de programa\WinZip\WZQKPICK.EXE
C:\Archivos de programa\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 194.224.187.18:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *osi.telefonica-data.com;*.tdcorp;172.24.*;*.tesa;*.telefonica;10.*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [3COMMonitor] C:\Archivos de programa\3Com\3Com Wireless Card Manager\Monitor.exe
O4 - HKLM\..\Run: [Conceptronic Conceptronic 54Mbps Wireless Utility] C:\Archivos de programa\Conceptronic\Conceptronic 54Mbps Wireless Utility\WLANmon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [MS taskbar W] task32w.exe
O4 - HKLM\..\RunServices: [MS Sys Security] mswin.pif
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] ndst32.exe
O4 - HKLM\..\RunServices: [eventwvr] C:\WINDOWS\System32\eventwvr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MS Sys Security] mswin.pif
O4 - HKCU\..\Run: [Compaq Service Drivers] ndst32.exe
O4 - HKCU\..\Run: [eventwvr] C:\WINDOWS\System32\eventwvr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunServices: [MS Sys Security] mswin.pif
O4 - HKCU\..\RunServices: [Compaq Service Drivers] ndst32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097159454133
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = td.inet
O17 - HKLM\Software\..\Telephony: DomainName = td.inet
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = td.inet
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = td.inet
O23 - Service: Automatic Update Service (Automatic Update) - Unknown owner - C:\WINDOWS\System32\wuapi.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Network Browser (NBSystem) - Unknown owner - C:\WINDOWS\system32\nbsystem.exe (file missing)
O23 - Service: NetDDE Server (NetDDEsrv) - Unknown owner - C:\WINDOWS\System32\netddesrv.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Unknown owner - C:\Archivos de programa\Trend Micro\OfficeScan Client\ntrtscan.exe (file missing)
O23 - Service: Performance Logs (Perfhmon) - Unknown owner - C:\WINDOWS\System32\Perfhmon.exe (file missing)
O23 - Service: Print Spool Handler (Print Spooler) - Unknown owner - C:\WINDOWS\System32\spooler.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Monitoring (Rpcmon) - Unknown owner - C:\WINDOWS\System32\Rpcmon.exe (file missing)
O23 - Service: Detector de OfficeScanNT (tmlisten) - Unknown owner - C:\Archivos de programa\Trend Micro\OfficeScan Client\tmlisten.exe (file missing)

LonnyRJones · Apr 22, 2006

Please disable SpybotSD TeaTimer for now
To disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on Resident icon and Uncheck the box next to Teatimer.
"resident tea timer"protection of all-over system settings) active"
Close SpyBot.
We will remind you to turn it on later

Open a command prompt (start run type cmd press enter) type
sc delete "Automatic Update"
press enter, type in
sc delete NBSystem
press enter, type in
sc delete NetDDEsrv
press enter, type in
sc delete Perfhmon
press enter, type in
sc delete "Print Spooler"
press enter, type in
sc delete Rpcmon
press enter, type exit and press enter to exit the command prompt

Start Hijackthis and place a check next to these items If there.
O4 - HKLM\..\RunServices: [MS taskbar W] task32w.exe
O4 - HKLM\..\RunServices: [MS Sys Security] mswin.pif
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] ndst32.exe
O4 - HKLM\..\RunServices: [eventwvr] C:\WINDOWS\System32\eventwvr.exe
O4 - HKCU\..\Run: [MS Sys Security] mswin.pif
O4 - HKCU\..\Run: [Compaq Service Drivers] ndst32.exe
O4 - HKCU\..\Run: [eventwvr] C:\WINDOWS\System32\eventwvr.exe
O4 - HKCU\..\RunServices: [MS Sys Security] mswin.pif
O4 - HKCU\..\RunServices: [Compaq Service Drivers] ndst32.exe
====================================
Hit fix checked and close Hijackthis.
Restart the PC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post a fresh hijackthis log please, be sure to mention any current problems.

ataghit · Apr 22, 2006

Thank you for your answer!

Teatimer is off.
I succeeded deleting all six files.
I fixed the 10 items with hijackthis.

I'm attaching a new log after a restart.

I'm not detecting any current problems... but I keep the troubled laptop off-line to avoid getting anything new until I fix whatever is wrong now and update Windows properly.

Thanks for your help.

Ataghit

##########################

Logfile of HijackThis v1.99.1
Scan saved at 19:29:48, on 22/04/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atievxx.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Conceptronic\Conceptronic 54Mbps Wireless Utility\WLANmon.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\WinZip\WZQKPICK.EXE
C:\Archivos de programa\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 194.224.187.18:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *osi.telefonica-data.com;*.tdcorp;172.24.*;*.tesa;*.telefonica;10.*;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [3COMMonitor] C:\Archivos de programa\3Com\3Com Wireless Card Manager\Monitor.exe
O4 - HKLM\..\Run: [Conceptronic Conceptronic 54Mbps Wireless Utility] C:\Archivos de programa\Conceptronic\Conceptronic 54Mbps Wireless Utility\WLANmon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1097159454133
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = td.inet
O17 - HKLM\Software\..\Telephony: DomainName = td.inet
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = td.inet
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = td.inet
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Unknown owner - C:\Archivos de programa\Trend Micro\OfficeScan Client\ntrtscan.exe (file missing)
O23 - Service: Detector de OfficeScanNT (tmlisten) - Unknown owner - C:\Archivos de programa\Trend Micro\OfficeScan Client\tmlisten.exe (file missing)

LonnyRJones · Apr 22, 2006

Looking better
Scan and fix with SpyBot twice, let us know if on the second scan any spyware was found.

Do a full system scan with AVG after getting it updated.

If your system is stable now install a firewall then go get all available critical windows updates, several are mentioned here.
http://forums.spybot.info/showthread.php?t=279

Id love to see a Hijackthis log afterwards.

tashi · Apr 29, 2006

This topic is now closed to prevent others with similar issues posting in it.
If you need it re-opened please send me a pm and provide a link to the thread.

Command Service + Look2Me unable to remove

ataghit

New member

LonnyRJones

Security Expert-Emeritus

ataghit

New member

LonnyRJones

Security Expert-Emeritus

ataghit

New member

LonnyRJones

Security Expert-Emeritus

tashi

Member of Team Spybot